Guest blog: Author - David Campbell, DPA/OK
Complying with the new data protection law ("GDPR") - what to do now
Many Midlands-based businesses process the personal data of their customers and employees. If you do, you need to ensure you are compliant with the new law by 25th May 2018 - just over 6 months from now.
A new General Data Protection Regulation (GDPR) Bill is going through parliament, which will become law in due course. What we do know from the bill is that GDPR - which is a European Union-wide piece of legislation - will apply in the U.K. even after Brexit.
Guidance on data protection law is provided by the Information Commissioner (‘ICO’). The Commissioner plans to offer additional guidance between now and when GDPR comes into force.
To minimise the risk of you not being compliant with the law after the above date, you should be taking the following steps now:
- Find out exactly what personal information you hold. This is information that relates to an individual (employees and customers) who can be identified from it. Check to make sure it is accurate and up to date. Why do you have it? If you no longer need it for a business purpose - get rid of it. Conduct a data flow exercise so you can see how you gather information, what you do with it, who gets to see it, who it is shared with etc.
- Review what part of the law permits you to lawfully process employee/customer information. Did they consent, or is it to fulfil an order etc.? On the subject of consent, was it freely given by the customer, and were they fully aware of exactly what they were consenting to?
- Under the new law, you will need to provide additional information (such as the legal basis for the processing of information - see previous point) to employees/customers when they provide information to you. How do they provide information – over the phone, on forms, via your website? Review any privacy notices that you have to make sure that they are fit for purpose. If they are not – revamp them.
- Do you outsource the processing of your employee/customer personal data to someone else? You MUST have a written contract with them. GDPR imposes additional obligations on processors. Do they have appropriate security in place to keep your data safe? Have you checked that they actually do what they say they do to keep information safe? Review any contracts you have and revamp them to make sure they are compliant.
- Your employees/customers will have enhanced rights as regards their information. They can ask for access, rectification, restriction, erasure etc. Do you have a procedure if an individual decides to exercise a right? If you don’t comply with a request, you may find yourself on the end of a court application or a referral to the ICO.
- Do your staff have an awareness of data protection? You need to take appropriate measures to prevent unauthorised access to or loss/destruction of personal data. If you haven’t trained your staff and they don’t understand any policy or procedures, can you say you have taken appropriate measures?
David Campbell is a Consultant/Trainer in data protection.